Full Report
Wiz CIRT and Wiz Research detail JINX-0164, a threat actor using LinkedIn social engineering, custom macOS malware, and CI/CD hijacking to target cryptocurrency organizations.
Analysis Summary
This summary outlines the activities and technical characteristics of JINX-0164 based on the provided threat intelligence report.
# Threat Actor: JINX-0164
## Attribution & Identity
* **Identification:** JINX-0164 is a newly identified threat actor first detailed by Wiz CIRT and Wiz Research.
* **Known Aliases:** Associated with activities previously reported as "Velora" (StepSecurity) and "MiniRAT" (iru).
* **Key Characteristics:** Highly proficient in macOS environments, social engineering via professional networks, and CI/CD infrastructure exploitation.
## Activity Summary
* **Timeline:** Active since at least mid-2025, with landmark intrusions occurring in early 2026.
* **Campaigns:** Sophisticated recruitment and business partnership-themed social engineering campaigns targeting cryptocurrency developers.
* **Operations:** Focuses on gaining initial access to endpoints to pivot into software development lifecycles, leading to source code modification and supply chain attacks.
## Tactics, Techniques & Procedures
* **Social Engineering:** Uses credible or hijacked LinkedIn profiles to establish trust and invite targets to virtual meetings.
* **Initial Access:** Delivers malicious payloads through links to fake teleconferencing software or to look-alike driver download domains such as `apple.driver-store[.]com` ([T1566.002](https://attack.mitre.org/techniques/T1566/002/)).
* **Persistence:** Registers the implant with `launchctl` so it is relaunched across logins on macOS systems ([T1543.001](https://attack.mitre.org/techniques/T1543/001/)).
* **Credential Access:** Phishes the user's password locally and stores the captured value XOR-encoded in a file posing as a terminal cache (`.zsh_cache`); the implant also carries infostealer capabilities.
* **Lateral Movement:** Uses access and credentials taken from compromised developer laptops to reach CI/CD pipelines and internal code repositories, then modifies source to compromise the software supply chain ([T1195.002](https://attack.mitre.org/techniques/T1195/002/)).
* **Evasion:** Routes C2 traffic through commercial VPN services (Mullvad, Astrill, ExpressVPN) to mask origin IPs.
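The persistence technique above, and the `launchctl`/Python monitoring that the mitigations section recommends, can be turned into a concrete hunt over launchd plists. The block below is an added example written for this summary; it is not code from the Wiz report or from the actor's tooling. The trusted-path allowlist, the interpreter list and the two sample plists are constructed assumptions for illustration, not artefacts from the report.

```python
"""Hunt for launchd persistence matching the AUDIOFIX pattern.

Added example for this summary; not code from the Wiz report. It parses
LaunchAgent/LaunchDaemon plists and flags entries where a script
interpreter runs a payload from outside trusted system paths, where the
payload or label borrows a system-component name the report says AUDIOFIX
uses (coreaudiod, ChromeUpdater), or where RunAtLoad+KeepAlive is set.
"""
import plistlib
from pathlib import PurePosixPath

# Names the report says AUDIOFIX masquerades as (lower-cased for matching).
IMPERSONATED = {"coreaudiod", "chromeupdater"}

# Where a genuine system daemon or updater is expected to live. This
# allowlist is an assumption for the example; tune it per fleet.
TRUSTED_PREFIXES = ("/System/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/",
                    "/Applications/")

# Interpreters that turn a plist into "run this script"; AUDIOFIX is Python.
INTERPRETERS = {"python", "python3", "osascript", "sh", "bash", "zsh"}


def _name(path: str) -> str:
    return PurePosixPath(path).name.lower()


def _trusted(path: str) -> bool:
    return path.startswith(TRUSTED_PREFIXES)


def inspect_plist(raw: bytes) -> tuple[str, list[str]]:
    """Return (label, reasons). An empty reasons list means nothing odd."""
    p = plistlib.loads(raw)
    label = str(p.get("Label", "<no label>"))
    reasons: list[str] = []
    args = p.get("ProgramArguments") or ([p["Program"]] if "Program" in p else [])
    if not args:
        return label, ["no Program or ProgramArguments"]

    exe = args[0]
    payload = exe
    # 1. Interpreter launching a script from outside the trusted paths.
    if _name(exe) in INTERPRETERS:
        payload = next((a for a in args[1:] if not a.startswith("-")), exe)
        if not _trusted(payload):
            reasons.append(f"interpreter {exe} runs untrusted script {payload}")

    # 2. Payload or label borrows a system-component name but lives elsewhere.
    names = {_name(payload), label.lower().rsplit(".", 1)[-1]}
    hits = sorted(names & IMPERSONATED)
    if hits and not _trusted(payload):
        reasons.append(f"impersonates {hits} from {payload}")

    # 3. Start at login and respawn if killed: the classic implant combination.
    if p.get("RunAtLoad") and p.get("KeepAlive"):
        reasons.append("RunAtLoad+KeepAlive")
    return label, reasons


def hunt(plists: dict[str, bytes]) -> dict[str, list[str]]:
    """Map plist path -> reasons, for every plist that raised at least one."""
    findings = {}
    for path, raw in plists.items():
        _, reasons = inspect_plist(raw)
        if reasons:
            findings[path] = reasons
    return findings


# Constructed samples (not real AUDIOFIX artefacts): one mimicking the
# reported pattern, one resembling a genuine Apple daemon entry.
SAMPLES = {
    "/Users/dev/Library/LaunchAgents/com.apple.coreaudiod.plist": plistlib.dumps({
        "Label": "com.apple.coreaudiod",
        "ProgramArguments": ["/usr/bin/python3",
                             "/Users/dev/Library/Caches/coreaudiod"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }),
    "/System/Library/LaunchDaemons/com.apple.audio.coreaudiod.plist": plistlib.dumps({
        "Label": "com.apple.audio.coreaudiod",
        "Program": "/usr/sbin/coreaudiod",
        "KeepAlive": True,
    }),
}

if __name__ == "__main__":
    for path, reasons in hunt(SAMPLES).items():
        print(path)
        for r in reasons:
            print("  -", r)
```

On a real host, feed `hunt` the bytes of every plist under `~/Library/LaunchAgents`, `/Library/LaunchAgents` and `/Library/LaunchDaemons`. Legitimate user scripts will trip the interpreter check, so treat a single reason as a lead and two or more as a priority; confirming with `codesign -v` on the flagged payload separates an unsigned script from a signed vendor helper.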
## Targeting
* **Sectors:** Cryptocurrency, Fintech, and Software Development.
* **Geography:** Global (targeting digital-first organizations).
* **Victims:** Specifically targets software developers and CI/CD infrastructure to facilitate supply chain compromises.
## Tools & Infrastructure
* **Malware Families:**
* **AUDIOFIX:** A Python-based macOS infostealer/RAT that masquerades as Apple's audio daemon (`coreaudiod`) or as a Chrome updater (`ChromeUpdater`).
* **MiniRAT:** A lightweight backdoor used for initial command execution.
* **Infrastructure:**
* `apple.driver-store[.]com` (Payload delivery)
* Fake conferencing domains (e.g., impersonating Microsoft Teams)
* C2 communication over HTTPS.
## Implications
JINX-0164 represents a high-tier financial threat focusing on the "upstream" compromise of software. By pivoting from a single employee's LinkedIn message to a CI/CD hijack, the actor can automate the distribution of malware to an entire user base, turning a standard theft attempt into a broad-scale supply chain risk.
## Mitigations
* **Network Security:** Implement strict egress filtering and monitor/limit traffic from known commercial VPN exit nodes in corporate environments.
* **Endpoint Defense:** Deploy macOS-specific EDR (Endpoint Detection and Response) to monitor for suspicious `launchctl` activity and for unsigned Python scripts running under system-component names such as `coreaudiod` or `ChromeUpdater`.
* **Identity & Access:** Enforce hardware-based MFA for CI/CD access and internal code repositories to prevent stolen credentials from being used for lateral movement.
* **Social Engineering Awareness:** Educate employees, particularly developers, on "recruitment" scams and the risks of downloading meeting software from unofficial links provided via LinkedIn or DM.